[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Package management unsafe?

Maybe a check should be added to APT to flag a warning if there has been no updates for a significant period of time? That way if a mirror ever does that, its more detectable.

On Fri, Jul 11, 2008 at 8:55 AM, Steinar H. Gunderson <sgunderson@bigfoot.com> wrote:
> On Fri, Jul 11, 2008 at 07:36:44AM -0500, Ron Johnson wrote:
>> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
>> What are people's thoughts on this?
> It's been known for quite a while. (I asked one of the guys publishing it,
> and he was fully aware of that, but felt it was still important to bring
> light to it.)
> In any case, it's pretty hard to exploit as long as you have security updates
> on a different (trusted) server. The best thing you can do is DoS the process
> so the user's package management software crashes, or simply never update
> your mirror so users don't get updates.
> /* Steinar */
> --
> Homepage: http://www.sesse.net/
> --
> To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: